# HackTheBox-Toxic
We are given an archive to download which inlcudes source code of web page
Looking at the web page we have no interaction with the page
So the next thing is to actually look at the source code which is given and that we extracted earlier
We have this `index.php` file which is using `preg_match` to find directory `Model` and in that it's going to grab a file which is passed trough `$name` parameter and then it's including that file using `include`
Here an object is being made for the class name `PageModel` , if we look for other files we'll do see a file named PageModel.php which has the following contents
It has public variable name called `$file` which will hold a file name to be included which will be called through magic function named `__destruct` which call it's self when the script reaches it's end basically it destorys the object.
Coming back to index.php , that object is going to access the public variable `file` which will assign a string to it `/www/index.html` meaning that this variable now holds the index.html file which is going to be called in `include` function of the class meaning that this file will be displayed on the browser but we don't know yet how it's going to be passed.
Next a php session cookie is being set by encoding the variable's value to base64 and seriliazing it , `time()+60*60*24` just tells when the cookie is going to be expired and according this it will expire in 60 hours ,60 minutes and 24 seconds and `/` is telling the location for the cookie
This part is important as now `$cookie` variable is going to hold decoded value meaning the serilized object and then it's going to be unserilized meaning that the proper file name will be passed into the destruct function
As you can see we have our serilized object so let's break down this
`O` - This tells us that this is an object, `9` - This is telling us that this object is of PageModel class having the lenght of 9 chracters
`1` - This tells us that there's only one object
`s` - This tells us that it's a string , `4` with four chracters and then again it tells us about the file name with it's absolute path that it's 15 characters long and it's a string value
So now I thought of if I could make php file having this content in it `` so then I could call that file name through changing the filename in cookie and decoding it back to base64 so it would be loaded through `__destruct` function but there's no interaction on the web page to upload files so this won't work like that
Now we can pass a file name into the cookie by replacing `/www/index.html` with the file name but we don't know a file that we can view so I'll go with `/etc/passwd` file which holds information for users on the linux system , for that we need to get the length for the file name
It's 11 characters so we'll do it like this
Now just replace the base64 encoded string in cookie field and we'll get `/etc/passwd` file to be loaded on the browser
https://i.imgur.com/82bPzNN.png
Notice earlier in the archive file we had `config` folder
We have `nginx.conf` file meaning that proably this is being hosted through nginx and from the config file we can see that it is !
We can try to poison nginx's access log file `/var/log/nginx/access.log`
And boom
Now it's left to poison them by adding php code un `User-Agent`
We can see the randomly generated file name for the flag so we can just use `cat` to get the contents